Commit message (Author, Age)
* Fix bind-mount-option annotation in gen/play kube (Urvashi Mohnani, 2022-09-06)
    The format used for setting the bind-mount-options annotations in the kube yaml was incorrect and caused k8s to throw an error when trying to play the generated kube yaml. Fix the annotation format to match the rules of k8s.
    Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Improved Windows compatibility for machine command (Arthur Sengileyev, 2022-09-06)
    Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
* updated apiv2 tests to reflect hash compat fix (Jason Ertel, 2022-09-06)
    Signed-off-by: Jason Ertel <jason.ertel@securityonionsolutions.com>
* api: return imageID instead of imageName, for "Image" when Podman API is queried (Josh Patterson, 2022-09-06)
    Signed-off-by: Josh Patterson <josh.patterson@securityonionsolutions.com>
* Inhibit SIGTERM during Conmon startup (Matthew Heon, 2022-09-06)
    If we get a SIGTERM immediately after Conmon starts but before we record its PID in the database, we end up leaking a Conmon and associated OCI runtime process. Inhibit shutdown using the logic we originally wrote to prevent similar issues during container creation to prevent this problem.
    [NO NEW TESTS NEEDED] No real way to test this I can think of.
    Fixes #15557
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix example sections to follow the same format (patrycja-guzik, 2022-09-06)
    Signed-off-by: patrycja-guzik <patrycja.k.guzik@gmail.com>
* Fix template name inconsistency (Stefano Figura, 2022-09-06)
    Signed-off-by: Stefano Figura <stefano@figura.im>
* service: make move to sub-cgroup non fatal (Giuseppe Scrivano, 2022-09-06)
    if we are running in a container in the root cgroup, Podman tries to move itself to a sub-cgroup. This could be a problem in a setup where the cgroups are not writeable, so just log a debug message and continue, since anyway it is a best-effort operation.
    Closes: https://github.com/containers/podman/issues/15498
    [NO NEW TESTS NEEDED]
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Remove duplicate annotations in generated service yaml (Urvashi Mohnani, 2022-09-06)
    Don't add the same annotations as the pod yaml to the service yaml as it is not needed.
    [NO NEW TESTS NEEDED]
    Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Compat API image remove events now have 'delete' status (Matthew Heon, 2022-09-06)
    Change only the compat API, so we don't force a breaking change on Libpod API users.
    Partial fix for #15485
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* [CI:DOCS] Automatically set podman version in pkginstaller (Ashley Cui, 2022-09-06)
    Allow the pkginstaller makefile target to take advantage of Podman's version binary, alleviating the need to manually set Podman's version (and inevitably forgetting to do so). This means the pkginstaller Makefile will automatically detect what version of Podman we're packaging.
    Signed-off-by: Ashley Cui <acui@redhat.com>
* Allow colons in windows file paths (Brent Baude, 2022-09-06)
    the `podman save` command was failing on windows due to the use of a colon between the drive letter and first directory. the check was intended for Linux and not windows.
    Fixes #15247
    [NO NEW TESTS NEEDED]
    Signed-off-by: Brent Baude <bbaude@redhat.com>
* Fixes isRootfull check using qemu machine on Windows (Arthur Sengileyev, 2022-09-06)
    Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
* vendor containers/psgo@v1.7.3 (Valentin Rothberg, 2022-09-06)
    Add three new capabilities that would otherwise be reported as unknown. Also add an e2e test making sure that `podman top` knows all capabilities of the current kernel. I refrained from adding a system test since this may blow up in gating tests.
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
    <MH: Fixed cherry-pick conflicts>
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Allow podman to run in an environment with keys containing spaces (Daniel J Walsh, 2022-09-06)
    Fixes: https://github.com/containers/podman/issues/15251
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Document restrictions on transport in FROM (Tomas Volf, 2022-09-06)
    When using remote podman client, not all transports work as expected. So document this limitation.
    Fixes: containers/podman#15141
    Signed-off-by: Tomas Volf <tomas.volf@showmax.com>
* Improved Windows compatibility (Arthur Sengileyev, 2022-09-06)
    Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
* pass environment variables to container clone (Charlie Doern, 2022-09-06)
    the env vars are held in the spec rather than the config, so they need to be mapped manually. They are also of a different format so special handling needed to be added. All env from the parent container will now be passed to the clone.
    resolves #15242
    Signed-off-by: Charlie Doern <cdoern@redhat.com>
* podman save: update --compress validation (Hoang Thanh VO, 2022-09-06)
    [NO NEW TESTS NEEDED]
    Signed-off-by: Hoang Thanh VO <111461555+ht-vo@users.noreply.github.com>
* sort hc.Binds returned from compat api (Josh Patterson, 2022-09-06)
    Signed-off-by: Josh Patterson <josh.patterson@securityonionsolutions.com>
* Cirrus: Update podman-machine comment (Chris Evich, 2022-09-06)
    Replace TODO comment with helpful hint for future maintainers.
    Signed-off-by: Chris Evich <cevich@redhat.com>
* podman images and friends can take one image as argument (Daniel J Walsh, 2022-09-06)
    Fixes: https://github.com/containers/podman/issues/15309
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [CI:DOCS] Add .DS_Store to gitignore (Ashley Cui, 2022-09-06)
    Ignore .DS_Store, a MacOS metadata file created by the OS.
    Signed-off-by: Ashley Cui <acui@redhat.com>
* podman-kube@.service.in: Remove Restart=never option with typo (Andrew Gunnerson, 2022-09-06)
    systemd expects the value of the option to be `no` instead, but this is already the default behavior. This fixes the following warning when running `systemctl status` on the unit:
        Failed to parse service restart specifier, ignoring: never
    Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
* Merge pull request #15554 from openshift-cherrypick-robot/cherry-pick-15516-to-v4.2 (OpenShift Merge Robot, 2022-08-31)
    [v4.2] Handle an already connected network in libpod API
| * Fix #15499 already connected network (Alessandro Rossi, 2022-08-30)
        Compat: Treat already attached networks as a no-op
        Applies only to containers in created state. Maintain error in running state.
        Co-authored-by: Alessandro Rossi <al.rossi87@gmail.com>
        Co-authored-by: Brent Baude <bbaude@redhat.com>
        Co-authored-by: Jason T. Greene <jason.greene@redhat.com>
        Signed-off-by: Alessandro Rossi <al.rossi87@gmail.com>
        Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | Merge pull request #15539 from cevich/ec2_imgts (OpenShift Merge Robot, 2022-08-31)
    [v4.2] [CI:DOCS] Cirrus: Update meta task for EC2
| * [CI:DOCS] Cirrus: Update meta-task for EC2 image (Lokesh Mandvekar, 2022-08-30)
        Copied from: https://github.com/containers/aardvark-dns/pull/207
        Fixes: #15502
        Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
        Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #15533 from mtrmac/trust-4.2 (OpenShift Merge Robot, 2022-08-30)
    podman image trust overhaul, incl. sigstore
| * | fix CI: remove hardcoded alpine version (Valentin Rothberg, 2022-08-29)
        The apiv2 test hardcoded the tag of the alpine image. Remove it to unblock CI.
        Fixes: #15388
        Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * | Preserve all unknown PolicyRequirement fields on (podman image trust set) (Miloslav Trmač, 2022-08-29)
        We are unmarshaling and re-marshaling JSON, which can _silently_ drop data with the Go design decision.data. Try harder, by using json.RawMessage at least for the data we care about. Alternatively, this could use json.Decoder.DisallowUnknownFields.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Reorganize the types in policy.go a bit (Miloslav Trmač, 2022-08-29)
        ... to go from top to bottom. Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add support for showing keyPaths in (podman image trust show) (Miloslav Trmač, 2022-08-29)
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Support (image trust show) for sigstoreSigned entries (Miloslav Trmač, 2022-08-29)
        sigstoreSigned does not have GPG IDs, so we add N/A in that column.
        NOTE: this does not show the use-sigstore-attachments value from registries.d.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements (Miloslav Trmač, 2022-08-29)
        Currently
        - the output uses the first entry's type, even if the requirements are different (notably signedBy + sigstoreSigned)
        - all public keys IDs are collected to a single line, even if some of them are interchangeable, and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2)
        So, stop collapsing the requirements, and return a separate entry for each one. Multiple GPG IDs on a single line used to mean AND or OR, now they always mean AND.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Reorganize descriptionsOfPolicyRequirements a bit (Miloslav Trmač, 2022-08-29)
        Do the registries.d lookup once, separately from building an entry, so that we can share it across entries. Also prepare a separate res to allow adding multiple entries.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Use the full descriptionsOfPolicyRequirements for the default scope (Miloslav Trmač, 2022-08-29)
        ... instead of taking a shortcut, e.g. not listing any keys if they are required.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Rename haveMatchRegistry to registriesDConfigurationForScope (Miloslav Trmač, 2022-08-29)
        Just so that we don't have a boolean-named function returning a struct. Also reorder the parameters to have the container first, and the lookup key second. Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Rename tempTrustShowOutput to entry (Miloslav Trmač, 2022-08-29)
        Now that it is the primary return value of a small function, the long name only makes reading harder. Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Split descriptionsOfPolicyRequirements out of getPolicyShowOutput (Miloslav Trmač, 2022-08-29)
        This will eventually allow us to use it for the default scope as well, which currently uses a simplified version. Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Recognize the new lookaside names for simple signing sigstore (Miloslav Trmač, 2022-08-29)
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add a unit test for trust.PolicyDescription (Miloslav Trmač, 2022-08-29)
        Add at least a basic unit test for the various entry types. So that we don't have to actually deal with GPG keys and /usr/bin/gpg*, parametrize the code with a gpgIDReader, and pass a fake one in the unit test.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Make the output of (podman image trust show) deterministic (Miloslav Trmač, 2022-08-29)
        Sort map keys instead of iterating in the Go-imposed random order.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Make most of pkg/trust package-private (Miloslav Trmač, 2022-08-29)
        We now have only a few entrypoints that are called externally, so make the rest private. This will make it more obvious that we are not breaking any external users.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Move most of ImageEngine.ShowTrust into pkg/trust.PolicyDescription (Miloslav Trmač, 2022-08-29)
        This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add support for sigstoreSigned in (podman image trust set) (Miloslav Trmač, 2022-08-29)
        NOTE: This does not edit the use-sigstore-attachments value in registries.d, similarly to how (podman image trust set) didn't set the lookaside paths for simple signing.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Create new policy entries together with validating input (Miloslav Trmač, 2022-08-29)
        That way, we don't have to switch over trustType twice. Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Improve validation of data in ImageEngine.SetTrust (Miloslav Trmač, 2022-08-29)
        - Also reject public keys with types that don't use them
        - Reject unknown trust types
        - And add unit tests
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntries (Miloslav Trmač, 2022-08-29)
        This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Also, actually add a basic smoke test of the core functionality. Should not change behavior.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add a variable for scope (Miloslav Trmač, 2022-08-29)
        Only process the incoming args[] (which is a single-element array for some reason) once, and use a semantic variable name for the value we care about. Should not change behavior, the only caller already supposedly ensures that len(args) == 1.
        Signed-off-by: Miloslav Trmač <mitr@redhat.com>